North Korean cyberattacks: record of US$2.0 billion stolen in cryptocurrencies during 2025

North Korean hackers reached an unprecedented criminal milestone in 2025, stealing at least US$2.0 billion in digital assets, according to a comprehensive analysis by Chainalysis. This figure represents a 51% increase over the previous year, raising the Democratic People’s Republic of Korea’s total haul to US$6.75 billion in recent years. The pattern reveals a strategic shift: fewer incidents but exponentially more destructive.

The escalation of crime: from mass attacks to surgical operations

The cybercrime landscape experienced a radical turn in 2025. While traditional cybercriminals spread their efforts across multiple lower-value targets, actors linked to North Korea concentrate their resources on high-impact targets. North Korean groups were responsible for 76% of all service-level breaches in 2025, the highest percentage recorded to date, according to Chainalysis data.

This selective approach contrasts sharply with previous years. Personal wallet compromises dropped significantly, accounting for only 20% of the total value stolen in 2025 (a decrease from 44% in 2024). Although the number of incidents against individual users increased to 158,000, the average amount stolen per victim plummeted 52% to a total of US$713 million. The data suggest a deliberate reorientation toward corporate targets and centralized platforms, where massive gains can be made in single operations.

Laundering patterns: North Korea’s digital footprint

Forensic analysis reveals sophisticated fund concealment patterns that distinguish North Korean actors from other cybercriminals. Unlike criminal groups that perform large direct transfers, North Korean hackers meticulously fragment their loot into transactions of less than US$500,000 to reduce the chance of automated detection.

Chainalysis identified a highly specialized laundering infrastructure: funds flow consistently through mixers, crypto bridges, and brokers operating in the Chinese language. This reliance on regional facilitators suggests structural limitations and possible agreements with local intermediaries. Notably, they avoid the DeFi lending protocols and decentralized exchanges favored by other criminals, indicating restrictions on access to the broader global financial infrastructure.

The typical window for converting and withdrawing funds follows a consistent schedule of approximately 45 days. This predictable cycle passes through distinct phases: from initial obfuscation of the source of funds to final integration into local economies. Andrew Fierman, head of national security intelligence at Chainalysis, noted that this consistency provides valuable opportunities for compliance teams and law enforcement investigators to intercept resources before their final conversion to cash.
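The pattern described above lends itself to a simple compliance heuristic. The following is an added example, not code from Chainalysis or from this article: it flags address clusters that, within 45 days of a breach, send several tranches below US$500,000 to mixers, bridges, or brokers. The cluster labels, dates, sample transfers, and the `MIN_TRANCHES` and `MIN_TOTAL_USD` thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRANCHE_CEILING_USD = 500_000  # from the article: tranches stay below US$500,000
CYCLE_DAYS = 45                # from the article: ~45-day laundering window
WATCHED = {"mixer", "bridge", "broker"}  # service types the article names
MIN_TRANCHES = 3               # assumption: tuning threshold, not from the article
MIN_TOTAL_USD = 1_000_000      # assumption: tuning threshold, not from the article

INCIDENT = datetime(2025, 3, 1)  # constructed breach date

# Constructed sample rows: (date, source cluster, destination type, USD value)
TRANSFERS = [
    ("2025-03-02", "cluster-A", "mixer", 480_000),
    ("2025-03-05", "cluster-A", "bridge", 495_000),
    ("2025-03-10", "cluster-A", "broker", 450_000),
    ("2025-03-20", "cluster-A", "mixer", 470_000),
    ("2025-03-03", "cluster-B", "exchange", 2_000_000),  # one large direct transfer
    ("2025-03-10", "cluster-C", "mixer", 499_000),
    ("2025-04-20", "cluster-C", "mixer", 499_000),       # outside the 45-day window
    ("2025-04-25", "cluster-C", "bridge", 499_000),      # outside the 45-day window
    ("2025-03-04", "cluster-D", "bridge", 90_000),
    ("2025-03-06", "cluster-D", "mixer", 80_000),
    ("2025-03-09", "cluster-D", "broker", 70_000),       # three tranches, small total
]

def flag_structuring(transfers, incident_time):
    """Return clusters whose sub-ceiling tranches to watched services add up."""
    window_end = incident_time + timedelta(days=CYCLE_DAYS)
    by_cluster = defaultdict(list)
    for date, cluster, dest_type, usd in transfers:
        when = datetime.fromisoformat(date)
        in_window = incident_time <= when <= window_end
        if in_window and dest_type in WATCHED and usd < TRANCHE_CEILING_USD:
            by_cluster[cluster].append((when, usd))
    alerts = {}
    for cluster, rows in by_cluster.items():
        total = sum(usd for _, usd in rows)
        if len(rows) >= MIN_TRANCHES and total >= MIN_TOTAL_USD:
            last_seen = max(when for when, _ in rows)
            alerts[cluster] = {
                "tranches": len(rows),
                "total_usd": total,
                "days_left": (window_end - last_seen).days,  # time left to intercept
            }
    return alerts

if __name__ == "__main__":
    print(flag_structuring(TRANSFERS, INCIDENT))
```

Only cluster-A is flagged: the single large transfer, the tranches outside the window, and the low-total cluster all fall below the heuristic's thresholds.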

Artificial intelligence: North Korea’s new superpower in crime

A particularly troubling finding is the emerging role of artificial intelligence in North Korean money laundering operations. According to Fierman, “North Korea facilitates the laundering of its cryptocurrency thefts with a consistency and fluidity indicative of AI use.” The operational sophistication required to execute thefts of colossal volume while simultaneously automating multi-asset laundering suggests intelligent systems in operation.

The laundering mechanism integrates mixers, crypto bridges, and DeFi protocols from the early stages, automating conversion between multiple digital assets. “To achieve this level of efficiency, North Korea needs a large laundering network, along with optimized mechanisms likely manifested through AI use,” Fierman explained. The ability to process billions while maintaining stealth operations suggests that intelligent automation is central to North Korea’s strategy.

The shift in the global cybercrime landscape

Findings point to an increasingly polarized threat environment. On one side, traditional criminals carry out mass low-value thefts. On the other, North Korea conducts rare but catastrophic assaults on crypto service platforms, firmly occupying the center of these mega-scale operations.

This trend has profound implications for the global security of digital assets. While surveillance and defenses are strengthened against conventional threats, the combination of technical sophistication, state resources, and AI potential in the hands of North Korean actors represents an emerging frontier in cyber warfare. As 2025 closes, there are no signs that these attack efforts will diminish, suggesting that North Korea-linked cybercrime will remain a predominant threat in the cryptocurrency ecosystem in the coming period.
